Using the Emergency Text Notification System and HIPAA Compliance

Businesses governed by HIPAA regulations need to be mindful whenever using emergency text notification systems and ensure not to disclose Protected Health Information (PHI) without authorization. It can be quite difficult to adhere to HIPAA compliance policies during an emergency. However, some preparation could help offset the chances of a HIPAA breach.

Businesses could use emergency text notification systems to effectively alert employees regarding an emergency episode (such as severe weather, fires, and active shooter events), particularly when they are built with other alert systems like sirens, digital signage, and visual alarms. However, healthcare organizations and medical personnel are covered by HIPAA regulations, which do not allow the unauthorized disclosure of PHI.

Under typical situations, it is hard to think of cases wherein businesses send an emergency text notification that include PHI. Even so, in a tense emergency case, there is a chance that medical employees might unintentionally disclose PHI when giving an emergency text notification. Or perhaps other people might receive the notification with PHI and forward it to other persons.

Are Emergency Text Notification Systems HIPAA Compliant?

Emergency text notification systems send communications through several communication channels. Since the devices that receive the notifications do not have mechanisms for compliance with the technical requirements of the HIPAA Security Rule, like automatic log-off, access controls, and encryption, emergency text notification systems are not HIPAA-compliant. In addition, copies of SMS text messages, social media postings, and email messages stay permanently in the service providers´ servers and there’s no way to retract them.

Regardless, emergency text notification systems, particularly those with alarm systems integration, are the best way to meet the Communication Plan prerequisites of the CMS´ Emergency Preparedness Rule. The system could also help coordinate emergency response and ensure business continuity while in a continuing emergency situation. Hence HIPAA covered entities should take steps to minimize the chances of a HIPAA breach. How is that possible?

Mitigation of the Risk of a HIPAA Breach Due to Emergency Text Notifications

The most effective way to stop accidental PHI disclosures in an emergency text notification is to prepare notification templates ahead of time. The CMS´ Emergency Preparedness Rule states that healthcare organizations need to plan responses to situations like pandemics, natural mishaps, and nuclear explosions. It is also advisable to have notification templates for incidents like fires, active shooters, and severe weather conditions.

To avoid sending of emergency text notifications to people who are not the intended recipients, the personnel database ought to be grouped by role, area or other parameters in order to make sure that messages are sent to the right person at the proper time. In case of an active shooter, for instance, you only want the people in the immediate area to start a lockdown. Notifying everybody else with regards to the situation may cause an unwanted panic that might affect emergency response efforts.

About Christine Garcia 1299 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at